powershell_events
PowerShell script blocks reconstructed to their full script content. This table requires PowerShell script block logging to be enabled on the host.
Platform support
Some queries can only be run against certain platforms. Below is the list of platforms this table supports. Zercurity automatically pauses a query if errors are detected. Running this query against an unsupported platform results in the following error: no such table: powershell_events
- Windows
Table schema
| Name | Type | Description |
|---|---|---|
| time | BIGINT | Timestamp at which the event was received by the osquery event publisher |
| datetime | TEXT | System time at which the PowerShell script event occurred |
| script_block_id | TEXT | The unique GUID of the PowerShell script to which this block belongs |
| script_block_count | INTEGER | The total number of script blocks for this script |
| script_text | TEXT | The text content of the PowerShell script |
| script_name | TEXT | The name of the PowerShell script |
| script_path | TEXT | The path of the PowerShell script |
| cosine_similarity | DOUBLE | How similar the character frequency of the PowerShell script is to a provided 'normal' character frequency profile (1.0 is identical; low values indicate unusual, possibly obfuscated, content) |
Query examples
select * from powershell_events;
select * from powershell_events where script_text like '%Invoke-Mimikatz%';
select * from powershell_events where cosine_similarity < 0.25;
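The two derived pieces of this table, a script reassembled from its logged blocks and the character-frequency cosine similarity that the last query thresholds on, are easy to misread without seeing the arithmetic. The following Python is an added illustration written for this page; it is not osquery's implementation and not Zercurity's code. It assumes a `block_index` field taken from the "Creating Scriptblock text (n of m)" wording of the raw Windows event 4104 record (osquery tracks ordering internally), and the baseline corpus, the sample events and the GUIDs are all constructed for the example.

```python
import math
from collections import Counter, defaultdict

# Constructed baseline: a few lines of ordinary administrative PowerShell that
# stand in for the "normal" character-frequency profile the table compares against.
BASELINE_CORPUS = """
Get-Process | Where-Object { $_.CPU -gt 100 } | Select-Object Name, Id
Get-ChildItem -Path C:\\Logs -Filter *.log | Sort-Object LastWriteTime
$services = Get-Service | Where-Object Status -eq 'Running'
foreach ($svc in $services) { Write-Output $svc.Name }
Set-ExecutionPolicy RemoteSigned -Scope CurrentUser
"""


def char_frequencies(text):
    """Relative frequency of each character (lower-cased so case alone does not skew the profile)."""
    counts = Counter(text.lower())
    total = sum(counts.values())
    return {ch: n / total for ch, n in counts.items()} if total else {}


def cosine_similarity(freq_a, freq_b):
    """Cosine of the angle between two frequency vectors: 1.0 for identical distributions, 0.0 for disjoint ones."""
    keys = set(freq_a) | set(freq_b)
    dot = sum(freq_a.get(k, 0.0) * freq_b.get(k, 0.0) for k in keys)
    norm_a = math.sqrt(sum(v * v for v in freq_a.values()))
    norm_b = math.sqrt(sum(v * v for v in freq_b.values()))
    if norm_a == 0.0 or norm_b == 0.0:
        return 0.0
    return dot / (norm_a * norm_b)


NORMAL_PROFILE = char_frequencies(BASELINE_CORPUS)


def score_script(script_text):
    """The value the cosine_similarity column represents: script profile vs. the normal profile."""
    return cosine_similarity(char_frequencies(script_text), NORMAL_PROFILE)


def reconstruct_scripts(events):
    """Reassemble whole scripts from 4104 fragments, keyed by script_block_id.

    Each event is a dict with script_block_id, block_index (hypothetical, from the
    "n of m" text of the 4104 message), script_block_count and text. Blocks may
    arrive out of order, and a script is only marked complete when every index
    from 1 to script_block_count has been seen.
    """
    grouped = defaultdict(list)
    for ev in events:
        grouped[ev["script_block_id"]].append(ev)
    scripts = {}
    for block_id, parts in grouped.items():
        parts.sort(key=lambda e: e["block_index"])
        expected = parts[0]["script_block_count"]
        seen = {p["block_index"] for p in parts}
        scripts[block_id] = {
            "script_text": "".join(p["text"] for p in parts),
            "script_block_count": expected,
            "complete": seen == set(range(1, expected + 1)),
        }
    return scripts


def flag_unusual(scripts, threshold=0.25):
    """Equivalent of `where cosine_similarity < 0.25`: ids whose character profile is far from normal."""
    return sorted(bid for bid, s in scripts.items() if score_script(s["script_text"]) < threshold)


# Constructed sample events. The second script is assembled from character codes
# (it only spells "Hello!!!"), so its profile is dominated by brackets, digits and
# plus signs rather than the letters and spaces of ordinary PowerShell; block 2 of
# 3 is deliberately missing to show incomplete reconstruction.
BENIGN_ID = "11111111-aaaa-4bbb-8ccc-000000000001"
ODD_ID = "22222222-aaaa-4bbb-8ccc-000000000002"
SAMPLE_EVENTS = [
    {"script_block_id": BENIGN_ID, "block_index": 2, "script_block_count": 2,
     "text": "foreach ($s in $stopped) { Start-Service -Name $s.Name }\n"},
    {"script_block_id": BENIGN_ID, "block_index": 1, "script_block_count": 2,
     "text": "$stopped = Get-Service | Where-Object Status -eq 'Stopped'\n"},
    {"script_block_id": ODD_ID, "block_index": 1, "script_block_count": 3,
     "text": "$t=[char]72+[char]101+[char]108+[char]108+[char]111;"},
    {"script_block_id": ODD_ID, "block_index": 3, "script_block_count": 3,
     "text": "[char]33+[char]33+[char]33;$t"},
]

if __name__ == "__main__":
    for bid, s in reconstruct_scripts(SAMPLE_EVENTS).items():
        print(bid, "complete" if s["complete"] else "incomplete", round(score_script(s["script_text"]), 3))
```

The threshold is a tuning knob, not a verdict: a short but legitimate one-liner full of digits or paths will also score low, so low-similarity hits are best reviewed together with `script_path` and the reconstructed `script_text` rather than alerted on alone.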